Regex for Strong Password

This regex enforces a strong password policy requiring at least 8 characters with at least one lowercase letter, one uppercase letter, one digit, and one special character from the set @$!%*?&. It uses positive lookaheads to check each requirement independently without enforcing a specific character order. This is a common password strength pattern used in registration forms and account security settings.

Pattern
^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$

What is the regex pattern for Strong Password?

The regex pattern for Strong Password is ^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$. This pattern is commonly used for registration form validation and password change forms.

Test Examples

Match: Str0ng!Pass
Match: P@ssw0rd
No Match: weakpass

Variations

Minimum 12 characters

^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{12,}$

Stricter length requirement

No special char required

^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z\d]{8,}$

Only requires mixed case and a digit

With length limit

^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,64}$

Caps maximum length at 64 characters

Frequently Asked Questions

Is regex the best way to validate password strength?

Regex works for enforcing basic rules, but modern best practices recommend using libraries like zxcvbn that estimate actual password entropy. NIST guidelines now favor longer passwords over complex character requirements.

What special characters does this allow?

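This pattern allows @, $, !, %, *, ?, and &. Because the final character class lists every permitted character, a password containing anything else (a space, #, -, or a non-ASCII letter) fails the whole match, however long it is. You may want to expand or customize the allowed special characters based on your system's requirements and character encoding support.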

Should I enforce a maximum password length?

You should set a reasonable maximum (e.g., 64 or 128 characters) to prevent denial-of-service through extremely long inputs, but do not set it too low. NIST recommends supporting at least 64 characters.
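
Added example (not part of the original page): a JavaScript checker that splits the "With length limit" pattern into its individual rules so a form can report which one failed, including characters outside the allowed set and over-long input, which is rejected by a plain length comparison before any regex runs. The function name `checkPassword`, the failure labels and the last two sample passwords are constructed for illustration.

```javascript
// Added example: per-rule diagnostics for the page's "With length limit" pattern.
const MIN = 8, MAX = 64;
const STRONG = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,64}$/;

// Each lookahead as a separate check, so the form can name the rule that failed.
const RULES = [
  ["lowercase", /[a-z]/],
  ["uppercase", /[A-Z]/],
  ["digit", /\d/],
  ["special", /[@$!%*?&]/],
];
// The pattern's final character class, applied to one character at a time.
const ALLOWED_CHAR = /^[A-Za-z\d@$!%*?&]$/;

function checkPassword(pw) {
  if (typeof pw !== "string") return { ok: false, failures: ["not_a_string"] };
  // Plain length comparison first: over-long input never reaches the regex engine.
  if (pw.length > MAX) return { ok: false, failures: ["too_long"] };
  const failures = [];
  if (pw.length < MIN) failures.push("too_short");
  for (const [name, re] of RULES) {
    if (!re.test(pw)) failures.push("missing_" + name);
  }
  // Any character outside the class (space, '#', '-', non-ASCII) fails the whole match.
  const bad = [...new Set([...pw].filter((ch) => !ALLOWED_CHAR.test(ch)))];
  if (bad.length > 0) failures.push("disallowed_chars:" + bad.join(""));
  return { ok: failures.length === 0, failures };
}

// Constructed sample inputs (the first three are the page's own test examples).
const SAMPLES = ["Str0ng!Pass", "P@ssw0rd", "weakpass", "Correct-Horse-Battery-9!", "Tr0ub4dor#3xyz"];
for (const pw of SAMPLES) {
  const { ok, failures } = checkPassword(pw);
  console.log(pw.padEnd(26), ok ? "accepted" : "rejected: " + failures.join(", "));
}
```

The 24-character passphrase is rejected only because of its hyphens, which is the trade-off the FAQ on allowed special characters describes.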

Related Patterns

Username

^[a-zA-Z0-9_-]{3,20}$

Email Address

^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA...
